Increasing Cyberthreats Pose Massive Challenge for Financial Firms

Capital Markets Outlook 2015: Financial firms will increase data security spending and also strengthen critical infrastructure as the industry struggles to keep up with the scale and intensity of cyber attacks.

Challenge: The frequency and intensity of cyber attacks on financial institutions have increased exponentially in the past 12 months. In addition, the financial losses from cyber attacks have reached into the billions. Financial services organizations need to increase cyber vigilance, share threat information, and work to detect breaches more quickly.


Why it’s important: Data security has always been an important topic for financial services. Protecting a client's data, or information used to make investment or trading decisions, is the highest priority. If a client can’t trust a financial firm with its information, the company will be out of business. Today, however, the threat from cyber attacks is increasing, and the hackers are more organized, well funded, and sometimes sponsored by other nations.


Where the industry is now: In fact, data security has been one of Wall Street & Technology’s top Outlook topics for five of the past seven years. No other topic -- low latency/HFT, cloud, big data, social networking, risk management, or analytics -- has appeared in WS&T’s annual Capital Markets Outlook feature so many times.

That said, the cyberthreat facing financial institutions is greater today than it has been at any time in the past. Banks report being probed for weaknesses continuously. "Continuously" may sound ominous, and it is. Banks are fending off attacks or detecting probes looking for weaknesses almost every minute of every day.

In 2014, data security and combating cyber attacks moved from a technology and CISO (Chief Information Security Officer) topic to an executive and board-level issue. Why? Simply put, the volume, scale, and financial losses due to attacks skyrocketed. Here are a few data points about the increasing severity of data breaches:

Cost per attack: According to the Ponemon Institute, the cost of successful cyber attacks increased to $20.8 million per financial services company in 2014.

JPMorgan hack: JPMorgan was hacked in June but didn’t detect the attack until August, resulting in the exposure of the personal information of 76 million households and 7 million small business customers.

500 million records: In the 12 months prior to October of this year, 500 million financial records were stolen by hackers, according to the FBI. Approximately 35% of the data thefts were from website breaches, and 22% were from cyber espionage, said the FBI.

Targeting Target: The retailer Target reported a mega data breach in December 2013. In all, data on 40 million credit cards and information on 70 million customers were stolen, costing the company $1.5 billion.

Focus in 2015: As the number of cyberthreats continues to increase, it has become apparent that the largest losses come from attacks that were not quickly detected. For instance, FireEye, a cyber security provider, apparently notified Target of the breach on November 30 and December 2, 2013, but Target missed the notifications and didn’t react to the infiltration until the US Department of Justice contacted the retailer in mid-December of that year. Home Depot, which has had 56 million cards compromised, was infiltrated over five months before the home improvement retailer discovered the breach.

Financial firms also need to do a better job of sharing security threat information. Just as law enforcement agencies now share crime information, banks, exchanges, regulators, and law enforcement also are now sharing threat data. FS-ISAC, the Financial Services Information Sharing and Analysis Center, is the global financial industry’s information sharing resource. FS-ISAC is owned by its bank members but partners with government regulators and law enforcement.

Finally, regulators and law enforcement agencies are worried about the changing nature of cyber attacks. Increasingly, attacks seem to be looking for weaknesses in the nation’s critical infrastructure instead of attacking purely for monetary gain. For instance, an attack that disabled a stock exchange’s trading systems could wreak havoc in the markets. Similarly, compromising an Automated Clearing House (ACH) network would have immediate implications for businesses and individuals who could not process payments.

Regulatory outlook: Regulators, including the Securities and Exchange Commission (SEC), the Federal Financial Institutions Examination Council (FFIEC), the US Treasury Department, and the New York Department of Financial Services, have all announced guidelines for cyber security exams or increased cyberthreat sharing programs. The FFIEC completed a review of 500 banks in the summer of 2014. The US Treasury created the Cyber Intelligence Group, which shares cyber security information with the financial sector. The SEC says its cyber security and resiliency exams will be part of the regulator's normal evaluations. The exams announced by the New York Department of Financial Services will be tougher than those of federal regulators. For example, the New York exam requires banks to submit documentation showing the qualification of their CISOs.

Price tag: According to a PricewaterhouseCoopers study, the average financial loss from a hack in any industry is $2.7 million. With the increase in losses, Gartner reports that global IT security spending will increase almost 8% to nearly $77 billion in 2015. Financial services organizations, on average, drastically raised their cyber budgets in 2014, and many analysts are expecting increases in 2015, although not as large a percentage as during the past 12 months.

When it comes to personal information, let's not even talk about finance figures, it's important for companies to do their utmost to ensure that all that data is protected well from any form of security attack. You'd think that in this day and age, that with technology, things would get simpler, but I suppose this is the one area where advancement has actually made it easier to steal precious information from businesses!

Good article. The financial services industry has been the focus of multiple hacking attempts lately, some successful and some not so; pressure from customers and investors has forced the industry to look at cyber security seriously. I work with McGladrey and there's great advice on our website for financial services firms to tackle cybersecurity issues that are affecting the industry. McGladrey are also hosting a three-part webcast series to understand how you can step up your security posture and data breach preparedness; you can register at the link. bit.ly/mcgldrycybersec2

How would you measure your security operation after reading this article? Do you have the utmost confidence in your team's ability to execute within your vision? Do you have a guard tour system and incident management system combo in place to put you in the Top Professional category of security operations?
